[Firehol-support] Can dnat from a non-gateway firewall work with FireHOL/iptables rules?

Whit Blauvelt whit at transpect.com
Wed Jul 30 03:45:27 BST 2014


> Also, with xinetd at least the method causes packets arriving at the
> internal server to have the apparent internal IP of the firewall rather
> than the real remote IP, which is decidedly less useful in the server logs
> there.

Let me correct myself. That's true of the logs if I telnet to port 25 of a
mail server within the LAN from outside. But in a real mail negotiation it
does log the remote IP rather than the internal IP of the firewall. So
Postfix, at least - maybe all mail servers - has a preferred, better source
for the remote IP info.

Probably I should just stick with xinetd here. Either that or play games
with iptables packet marking or the like. Still, if there's a clear
FireHOL/iptables recipe for the same result....

Speaking of packet marking, there was a question back a month or two here in
the archives on how to use iptables with OpenSWAN ipsec. The answer in pure
iptables syntax can look in part like this:

 # Mark IPsec as it arrives (mangle/PREROUTING), then accept anything carrying
 # that mark. The inner packet keeps the mark after ESP decapsulation, which is
 # what lets the filter rules below pass the decrypted traffic as well.
 iptables -t mangle -A PREROUTING -p udp --dport 500 -j MARK --set-mark 1  # udp/isakmp (IKE), protocol 17
 iptables -t mangle -A PREROUTING -p esp -j MARK --set-mark 1              # esp, protocol 50
 iptables -t filter -A INPUT   -m mark --mark 1 -j ACCEPT
 iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
 iptables -t filter -A OUTPUT  -m mark --mark 1 -j ACCEPT

In the case where I'm using that I've also got some other rules that may be
residual from trying to get it right without marking, or may be operational.
(It works, so I'm not fixing it further just now.) But if you're running
OpenSWAN or StrongSWAN in the mode where it doesn't have its own interface
to match against, marking is a standard way to handle it. 

Whit
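Editor's note, not part of Whit's message: the recipe above accepts every packet carrying mark 1, so any other rule that sets that mark (now or after a later edit) silently inherits the ACCEPT. The following added Python script audits an iptables-save dump for that condition; the dump embedded in it is constructed for the example and is not from the original thread.

```python
"""Audit an iptables-save dump for mark-based IPsec pass-through rules.

Finds mangle rules that set a mark which the filter table ACCEPTs on,
but which are not limited to IPsec itself (udp/500, udp/4500, esp, ah).
"""
import shlex

# Constructed sample dump: the post's rules plus one over-broad extra rule.
SAMPLE_DUMP = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 500 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p esp -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -s 192.0.2.0/24 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -m mark --mark 0x1 -j ACCEPT
-A FORWARD -m mark --mark 0x1 -j ACCEPT
COMMIT
"""

# (protocol, dport) combinations that legitimately belong to IPsec.
IPSEC_OK = {("esp", None), ("ah", None), ("udp", "500"), ("udp", "4500")}

def parse_rules(dump):
    """Yield (table, chain, argv) for every -A line in an iptables-save dump."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            argv = shlex.split(line)
            yield table, argv[1], argv[2:]

def opt(argv, name):
    """Return the value following option `name`, or None if it is absent."""
    return argv[argv.index(name) + 1] if name in argv else None

def mark_value(argv):
    """Normalise --set-mark / --set-xmark / --mark values (e.g. 0x1/0xffffffff) to int."""
    raw = opt(argv, "--set-xmark") or opt(argv, "--set-mark") or opt(argv, "--mark")
    return int(raw.split("/")[0], 0) if raw else None

def audit(dump):
    """Return mangle MARK rules whose mark is ACCEPTed by filter but are not IPsec-only."""
    rules = list(parse_rules(dump))
    accepted = {mark_value(a) for t, _, a in rules
                if t == "filter" and opt(a, "-j") == "ACCEPT" and "--mark" in a}
    findings = []
    for table, chain, argv in rules:
        if table == "mangle" and opt(argv, "-j") == "MARK" and mark_value(argv) in accepted:
            if (opt(argv, "-p"), opt(argv, "--dport")) not in IPSEC_OK:
                findings.append(f"{chain}: {' '.join(argv)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print("non-IPsec traffic receives the IPsec mark:", finding)
```

On a live box, feed it the output of `iptables-save` instead of SAMPLE_DUMP; an empty result means every mark-based ACCEPT is backed only by the IPsec marking rules.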